Lab 5: Logging in to the Administrative Portal


In the presentation we saw how it was possible to get access to Administrative functionality directly by forceful browsing to the Administrator's page (admin.aspx) while being logged in as a normal user. This falls under OWASP's threat category: Failure to Restrict URL Access.


In this lab we are going to use forceful browsing to get access to the Administrator's Login Page (a page which isn't exposed through normal site navigation) and use Information Leakage in order to log into the application.


When we have finished this lab we will have logged into the application as an Administrator using forceful browsing and information leakage techniques.


In this lab you will play the role of a malicious user. 


Lab Overview

• 5.1 Forceful browse to administration section
  a. Does it exist?
  b. Is there a default page?
  c. What might you name a login page?

• 5.2 Ask some questions about the login page
  a. Is there a username associated with the password?
  b. Is the password static?
  c. What might I use for a password?
  d. Where might I look for a password?

• 5.3 Exploit
5.1 Forceful Browse to Administrative Section


1. Open a Firefox browser by selecting the icon on the desktop

[Screenshot: Mozilla Firefox desktop icon]
2. Locate the Administrator's Login Page

Some approaches a user can use:

• What is the name of a directory you might use for an administration section?
• Try administration, admin as possible path names
• What was the banking section directory name? (http://demo.testfire.net/bank/)


a. Enter http://demo.testfire.net/administration

[Screenshot: IIS error page returned for http://demo.testfire.net/administration]

The page cannot be found
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Please try the following:

Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.

If you reached this page by clicking a link, contact the Web site administrator to alert them that the link is incorrectly formatted.

Click the Back button to try another link.

HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)





The page is not found, so we know the page does not exist.
b. Enter http://demo.testfire.net/admin

[Screenshot: IIS error page returned for http://demo.testfire.net/admin]

Directory Listing Denied

This Virtual Directory does not allow contents to be listed.

We learn that an admin section exists, but we receive a "not authorized" error message and cannot access it.


3. Navigate to Login Page

• If you wanted to create a page that would allow an administrator to log in to the admin portal, what might you call it?
  – signon.aspx / login.aspx / logon.aspx (what did the user sign-on page look like?)
• What was the login page for the banking application?


a. Enter http://demo.testfire.net/admin/login.aspx to see if it exists

[Screenshot: Administration Login form showing a numeric code image, the field "Enter the code shown above:" and the field "Enter the administrative password:"]

The numeric code will differ each time the admin login page is accessed.
b. Review Login page and try various passwords

A person could try various guesses and may guess their way into the site.

• Password, password, password1, Password1
• Admin, admin, Admin1, admin1
• Altoro, altoro, Altoro1, altoro1
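Both of the behaviours this lab has exercised so far (probing for an unlinked admin directory in step 2, and guessing passwords against the admin login form in step 3b) leave a recognisable trace in the web server's log. The following script is an added example, not part of the lab or of the Altoro Mutual application: it parses IIS W3C extended log lines and flags clients that collected 403/404 responses on several distinct paths, and clients that repeatedly POSTed to the admin login page. The log lines, the client addresses, the thresholds and the assumption that a rejected guess still comes back as a 200 are all constructed for the example.

```python
"""Added example (not part of the lab): spot forced-browsing probes and
admin-login guessing in IIS W3C extended log lines."""
from collections import defaultdict

# Constructed sample log (not real traffic). 203.0.113.5 walks through the
# lab steps; 198.51.100.9 is an ordinary visitor with one broken image link.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-01-01 10:00:01 203.0.113.5 GET /bank/login.aspx 200
2024-01-01 10:00:02 203.0.113.5 GET /administration 404
2024-01-01 10:00:03 203.0.113.5 GET /admin 403
2024-01-01 10:00:04 203.0.113.5 GET /admin/login.aspx 200
2024-01-01 10:00:05 203.0.113.5 POST /admin/login.aspx 200
2024-01-01 10:00:06 203.0.113.5 POST /admin/login.aspx 200
2024-01-01 10:00:07 203.0.113.5 POST /admin/login.aspx 200
2024-01-01 10:00:08 198.51.100.9 GET /default.aspx 200
2024-01-01 10:00:09 198.51.100.9 GET /images/logo.gif 404
"""


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the scan
        records.append(dict(zip(fields, values)))
    return records


def find_probing(records, min_misses=2):
    """Clients that got 403/404 for at least min_misses distinct paths.
    Guessed paths such as /administration and /admin show up here; a single
    broken link on the site does not."""
    misses = defaultdict(set)
    for r in records:
        if r["sc-status"] in ("403", "404"):
            misses[r["c-ip"]].add(r["cs-uri-stem"])
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= min_misses}


def find_login_bursts(records, login_path="/admin/login.aspx", min_posts=3):
    """Clients that POSTed to the admin login form at least min_posts times.
    Assumption for this example: a rejected guess is still answered 200 with
    an error message, so requests are counted rather than status codes."""
    posts = defaultdict(int)
    for r in records:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == login_path:
            posts[r["c-ip"]] += 1
    return {ip: n for ip, n in posts.items() if n >= min_posts}


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("probing:", find_probing(recs))
    print("login bursts:", find_login_bursts(recs))
```

Note that what told the lab user /admin exists was the difference between the responses: a 404 for /administration and a "Directory Listing Denied" (403) for /admin. A server configured to answer unauthorized and nonexistent resources identically removes that signal, and restricting the admin directory to authenticated administrators (rather than relying on it being unlinked) removes the need to hide it at all.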


c. Review Source to see if there's password information

Interesting information can be found by reading HTML comments. This information is considered to be "hidden" from the user, but in fact it is easy to access and is another source of information leakage.
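The search the lab performs by hand (view source, find "password") is easy to automate as a check that runs before a page is released. The script below is an added example, not code from the lab or from the Altoro Mutual application: it pulls every HTML comment out of a page with the standard-library HTML parser and flags those that mention a credential-like keyword. The sample page, its comments and the placeholder password value are constructed for the example.

```python
"""Added example (not part of the lab): flag HTML comments that would leak
credentials to anyone who views the page source."""
import re
from html.parser import HTMLParser

# Constructed sample page (not the real demo.testfire.net source).
# The password value is a placeholder, not a real credential.
SAMPLE_HTML = """\
<html><head><title>Administration Login</title></head>
<body>
<!-- TODO remove before go-live: admin password is PLACEHOLDER-PASSWORD -->
<form method="post" action="login.aspx">
  <!-- spacer row needed for older browsers -->
  <input type="text" name="code">
  <input type="password" name="passw">
</form>
</body></html>
"""

# Keywords that should never appear in a comment shipped to the browser.
SENSITIVE = re.compile(
    r"\b(password|passwd|pwd|secret|api[_-]?key|token|connectionstring)\b",
    re.IGNORECASE,
)


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment fed to the parser."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        # Normalise whitespace so multi-line comments compare cleanly.
        self.comments.append(" ".join(data.split()))


def extract_comments(html):
    """Return the text of all client-side HTML comments in the page."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def find_sensitive_comments(html):
    """Return only the comments that mention a credential-like keyword."""
    return [c for c in extract_comments(html) if SENSITIVE.search(c)]


if __name__ == "__main__":
    for comment in find_sensitive_comments(SAMPLE_HTML):
        print("leaked comment:", comment)
```

The fix on the ASP.NET side is to keep developer notes out of client markup altogether: a server-side comment (`<%-- ... --%>`) is stripped when the page is rendered and never reaches the browser, whereas an HTML comment (`<!-- ... -->`) is sent to every visitor.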


i. Right-click on the page and select View Page Source

[Screenshot: Firefox context menu showing Back, Forward, Reload, Bookmark This Page..., Save Page As..., Send Link..., View Background Image, Select All, View Page Source, View Page Info]

ii. Select Edit > Find

iii. Search for the password by typing password

iv. Close Source
d. Enter the Password Altoro1234 and see if it works (note: the password is case sensitive)

[Screenshot: Administration Login form with the code 198086 entered in "Enter the code shown above:", the administrative password entered, and the Submit button]

The password still works and the user has gained access to the administration page.





Application Information

Session Contents Information
userId         100416016
userName       admin
firstName      Admin
lastName       User
authenticated  True
thisPage       /admin/login.aspx
admin          True

Application Contents Information
Visitors       10357
rootPath       /





4. Close Browser